How Passwordless Authentication Works

When considering passwordless authentication, many people naturally wonder how it works. While the experience is a bit different than using passwords, it’s quite simple and fast. Users love it because there are no passwords to remember and manage. IT professionals love it because by using the right platform, such as IBM Verify Access, they can take themselves out of the loop of supporting password problems.

Businesses love passwordless authentication because it’s more secure. According to the 2023 IBM X-Force Threat Intelligence Report, 58% of phishing kits sought passwords from users, which a more sought after than credit card numbers.

How Passwordless Authentication Works

While traditional password authentication is based on something you know — your password — passwordless authentication is based on something you have, such as a physical security key that plugs into a USB drive on your computer. Alternatively, a smartphone can be used as a security key.

Instead of logging into providers and services one at a time, typing in a username and password each time, passwordless authentication only requires you to type in your username and touch the security key. That’s it. You now have secure access to any service or software you’ve elected to connect to.

Alternatively, you can use your smartphone as a security key. In this case, after typing in your username, IBM Verify Access uses facial recognition on the phone to authenticate you.

Passwordless authentication can be used across any service that supports FIDO2, which is now a common standard supported by Google, Apple, Microsoft, and most other service providers and software companies.

Passwordless Authentication Provides Better Security

Passwordless authentication is more secure than passwords because passwords can be easily exposed. This is why they’re the gateway to most breaches. With passwordless authentication, there’s nothing to expose. Maybe that’s why Google hasn’t had a breach since it implemented passwordless authentication for its 80,000 employees and contractors more than a decade ago.

The biggest benefit of verifying a person’s identity without using a password is it eliminates phishing as a threat. While organizations invest a lot of money in cybersecurity, phishing still does an end-run around your controls. Unfortunately, this happens all too often, sometimes making headlines and in all cases, disrupting operations. A successful phishing attack can have a severe impact on the business.

Better, More Secure Access for Users

Many organizations have a need to offer privileged access to third parties, such as contractors, suppliers, and business partners. IBM Verify Access includes features to limit the timeframe that third-party users can access your IT resources. If a contractor is working with you for a few months, you can set up access privileges to start and end on specific dates. Or, if you have a technician coming in for service, access can be limited to specific hours.

In addition, you can completely — or nearly completely — eliminate passwords and password managers from your work life, including waiting for IT to reset your password if you’re having an access problem.

Other user benefits include the ability to:

• Remotely lock access to your computer using a smartphone
• Access computers when offline, such as when on an airplane
• Scan a QR code to securely gain access to any shared computer, which is common for airlines, retail, and other industries.

Less Work for IT

Passwordless authentication also eases the burden for IT. Because users select the resources they want to connect to through a self-service portal, they don’t have to rely on IT personnel to handle this. So, most organizations see a reduction in support tickets for authentication issues, helping to cut costs and enable IT professionals to focus on other matters.

New Legislation Mandates Passwordless Authentication

If eliminating phishing as a threat isn’t a big enough motivation for going passwordless, governments in Canada and the United States have legislation in place or in the works to make passwordless authentication mandatory for critical infrastructure industries such as banking and financial services. For example, under Bill C-36 in Canada, banks and financial institutions are no longer allowed to use SMS or tokens to authenticate users starting in 2025.

This is in response to the current geopolitical situation in Europe, where governments are working to protect critical assets that may come under attack by thousands of state-sponsored hackers in China, Russia, Iran, North Korea, and many other countries, who are constantly working to compromise Canadian businesses.

Reduce Risk Now

Passwordless authentication turns out to be a win-win-win for users, IT, and the organization as a whole. With less friction between the user and their resources, employees can be more productive. With fewer service tickets and management tasks, IT personnel can attend to other matters. And with no possibility of a phishing and ransomware attack, organizations expose themselves to significantly less risk.

And if you’re moving to hybrid cloud, implementing passwordless authentication now with IBM and ITSAFE will simplify identity and access management and help you reduce risk sooner rather than later, when it may be too late.